Ga. Elections Chief Kemp Plans Changes After Security Issues

FILE - In this Sept. 29, 2014 file photo, Secretary of State Brian Kemp announces a March 6, 2012 date, as Georgia's 2012 presidential primary at a news conference in Atlanta. On the gridiron, it takes a team to win, and some elected officials around the South are looking to band together rather than brawl over the 2016 presidential primaries. Kemp is among those pushing a regional March 1, 2016 contest known as the “SEC Primary,” named after the Southeastern Conference and would include such Southern states as Georgia, Tennessee, Arkansas and Mississippi and possibly Alabama and Louisiana as well. (AP Photo/David Goldman)

Republican Secretary of State Brian Kemp called it an attempted federal takeover and insisted his office was already protecting Georgia’s vote from hackers.

That stance earned him national media coverage ahead of his campaign for governor. But Kemp’s assurances threatened to become a liability after new details emerged last month about major security mistakes at the center managing Georgia’s election technology.

It turns out that the contractor left critical data wide open for months on the internet, and that for the second time under Kemp’s tenure, the personal information of every Georgia voter was exposed.

With his critics demanding accountability, Kemp announced Friday that he plans to bring the center’s operations in-house within a year. His brief statement made no mention of the security flaws, saying “the ever-changing landscape of technology demands that we change with it.”

“The Secretary of State’s office is equipped, trained, and tested to handle these operations in-house. I am confident that this move will ensure Georgia continues to have secure, accessible, and fair elections for years to come,” his statement said.

Elections Work Outsourced

Georgia effectively outsourced management of the touch-screen voting machines it adopted statewide 15 years ago to the center, which earned $792,000 in its most recent annual contract.

The work has been all-encompassing, from designing ballots to creating memory cards with lists of registered voters for each county to testing and certifying each piece of equipment after repairs. The new, $815,000 contract Kemp announced last week calls for moving that work to the Secretary of State’s office by June 30, 2018.

Merle King, the center’s director, didn’t immediately reply to an email seeking comment about the change. He had referred earlier questions about the mistakes to Kennesaw State University, which houses the center.

Its president, Sam Olens, issued a brief statement: “We support the Secretary of State’s decision and look forward to helping facilitate a smooth transition.”

Security Concerns Publicized

Details first made public last month raised questions about the center’s security measures. A cybersecurity expert warned King in August — only days after Kemp turned away federal help — that he had been able to copy records on Georgia’s 6.7 million voters and other critical documents from the center’s public website, including passwords poll workers used to sign into a central server on Election Day. The same data was available seven months later, the university determined.

This extended exposure was first detailed by Politico magazine in June, raising the heat on Kemp, whose office mistakenly sent out CDs containing the birth dates and Social Security numbers of every registered voter in 2015, costing the state $1.2 million for credit monitoring.

Republican state Rep. Scot Turner called it a “series of botches.”

“My criticism of him isn’t personal and it’s not political,” Turner said. “It’s based on having a factual discussion of what’s going on, without politicizing it, because it’s so important we get this right.”

Voter ID Laws

Republican secretaries of state commonly build their profiles backing strict voter identification laws, but Kemp’s predecessor, Republican Karen Handel, had already implemented one. Kemp also used intensive procedures to verify voters’ registration status, prompting accusations from the American Civil Liberties Union, the Georgia NAACP and Common Cause that thousands of eligible citizens lost their right to vote.

When launching his gubernatorial bid this April, Kemp said their lawsuits were trying to “undermine the integrity of the ballot box.” And when voting-rights activists demanded an independent, systemwide security review ahead of Handel’s June 20 special congressional election victory, Kemp dismissed their experts as “Ivy League professors.”

A judge dismissed their challenge in early June, ruling that Kemp had immunity and she saw no evidence of harm justifying drastic changes with early voting already underway. Kemp said the ruling verified “voting machines in Georgia are safe and accurate.”

Then Politico revealed details of the center’s mistakes: that researcher Logan Lamb alerted King in August, warning him to assume that the exposed data had been downloaded already. Lamb said he followed King’s directive to keep quiet until telling a colleague who checked the site and found the data still exposed months later.

According to their emails, obtained by voting-technology activists, KSU officials were most concerned that the “personally identifiable information” of all registered voters had been easily accessible. If that data had been “maliciously disclosed,” the credit monitoring for affected voters would cost about $2 million, it said.

A damning report by KSU’s information technology department also said the center’s reportedly secure private network for creating and testing ballots was in a closet with a live internet connection and a door that “was not latching properly,” in an office with a wireless access point.

Who’s To Blame?

King told the AP that he “did not believe there was any risk” after speaking with Lamb in August.

“In hindsight, I should have let (Kemp) know that I had been contacted,” he wrote in an email to the AP. “The responsibility for maintaining the security of the data entrusted to the center is ours.”

Kemp called it “inexcusable” that he didn’t learn of the security lapses until March. He said the center “didn’t report back to us in the middle of the most critical time — when all we were literally talking about was cybersecurity. And even though they knew it, they didn’t follow up on it. I think that blame is clearly on them.”

More than three months later, Kemp announced the change.

Common Cause Georgia’s director, Sara Henderson, told the AP before Kemp’s announcement that she questions his commitment to voting security.

“Running elections across the state is a nonpartisan issue and the fundamental task of the secretary of state. If he can’t accomplish that, why can Georgians trust him as governor?”